Data is a valuable asset and is a huge factor in many markets to help with production and sales. Interpreting trends and analyzing emerging markets is accomplished by correlating data. Maintaining this data in an appropriate fashion is just as important, especially when it comes to handling personal or sensitive data. Stepping it up even beyond that, matters of national security are to be handled securely as well as defined by preset standards that must be adhered to.
There are many standards and frameworks available, each describing what it does, but they all orient around one main aspect – handling data appropriately and securely. Let’s cover a high-level overview of some current controls that must be adhered to when handling certain sets of data:
– Health Information Trust Alliance Common Security Framework (HITRUST CSF)
This framework is the most widely-adopted among U.S. healthcare industries. It was developed to address many aspects of security, privacy and regulatory challenges organizations were facing. Incorporating foundational work from other known standards (ISO, NIST, PCI, HIPAA, etc.), this scaling framework works with the varying complexities of different organizations.
– Payment Card Industry Data Security Standard (PCI DSS)
Handling payment information properly is imperative, as fraud and identity theft are a serious threat. PCI DSS helps merchants and other financial institutions implement security standards and policies, as well as aiding vendors in understanding and implementing standards for secure payment solutions. Even with new technologies being introduced, securing transactions should still be a focal point for some organizations regardless of the options that are available.
– International Standards Organization (ISO/IEC) 27000-Series
This is a family of standards, the entirety of which focuses on helping manage your organization’s financial information, intellectual property, employee details and information entrusted by 3rd parties. ISO/IEC 27001 is best known regarding the requirements for Information Security Management Systems.
– National Institute of Standards and Technology (NIST)
In February 2013, the President of the United States recognized that the national and economic security of the U.S. was reliant on the function of its critical infrastructure. Thus, Executive Order (EO) 13636 was formulated and NIST worked with stakeholders to create the framework. Special Publication 800-53 specifically focuses on the security controls of federal systems and organizations participating in federal programs and the handling of private information.
– Control Objectives for Information and related Technologies (COBIT)
More geared for large enterprises, COBIT is a framework for governance and management of IT aimed at leading-edge business optimization and the growth. COBIT 5 is the only business framework for the governance and management of enterprise IT. It incorporates many globally accepted principles, practices, analytical tools and models to help build and increase trust in information systems.
With so many standards, knowing just which to use is a tough choice to make. A good thing to remember is that the standards can be used as a guideline and can be molded to better suite your organization’s needs. Guideline adherence is heavily affected by the number of employees, the business being conducted, and the type of data being used. The main things to bear in mind are: just as we wouldn’t want our Social Security number roaming the open Internet, we wouldn’t want our health information or other financial information floating around either. On a grander scale, business conducted with the federal government shouldn’t be taken lightly either. The recently adopted GDPR mandates compliance from any organization that collects personal data from an EU citizento ensures that data is handled properly. – Emil Hozan
References
hitrustalliance.net contributors. Understanding and Leveraging the CSF. Retrieved from https://hitrustalliance.net/understanding-leveraging-csf/
isaca.org contributors. COBIT 5 Framework. Retrieved from http://www.isaca.org/COBIT/Pages/COBIT-5-Framework-product-page.aspx
iso.org contributors. ISO/IEC 27000 family – Information security management systems. Retrieved from https://www.iso.org/isoiec-27001-information-security.html
Joint Task Force Transformation Initiative Interagency Working Group contributors April 2013). Security and Privacy Controls for Federal Information Systems and Organizations. Retrieved from https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-53r4.pdf
NIST.gov contributors. New to Framework. Retrieved from https://www.nist.gov/cyberframework/new-framework
pcisecuritystandards.org contributors. PCI SECURITY. Retrieved from https://www.pcisecuritystandards.org/pci_security/
Stephenson, T. (January 9, 2017). Information Security Assurance: Which framework is right for you? Retrieved from https://www.controlscan.com/blog/right-information-security-assurance-framework/
Thank you for your useful and interesting article. I’d just like to point out that the 27000 series is jointly developed by the IEC and ISO. The correct designation is ISO/IEC 27000.
I’d be grateful if you could please update your article to reflect this fact, also because IEC experts contribute a lot of their time and effort and are disappointed when their work is not acknowledged.
Hello Michael,
Thank you very much for pointing that out – credit is due where credit is deserved. The change has been updated, we appreciate your feedback and continued support by reading our content.
Regards,
Emil Hozan